Linux Admin Reference – SUDO Configuration in RedHat Enterprise Linux

Sudo is different from the su command and is more flexible and more secure. The sudo command allows users to do tasks on a Red Hat Enterprise Linux system as another user. One significant advantage is that it can log usage. By default the program saves log data in the file /var/log/secure.

The sudo program uses a configuration file /etc/sudoers to store rules that are used to decide whether a command is allowed or not. It is recommended that a program visudo provided by the sudo package be used to edit the /etc/sudoers file.

Configuring SUDO to allow normal users to use Root Commands

A special group ‘wheel’ exists on a Red Hat Enterprise Linux system that is traditionally used for privileged activity. Add to the user the supplementary group ‘wheel’ (this command must be done as root):

    # usermod -aG wheel normaluser

Verify that the user is now a member of the group wheel:

    # groups normaluser
    normaluser : normaluser wheel

Edit the file /etc/sudoers using the visudo command:

    # sudoers file.
    #
    # This file MUST be edited with the ‘visudo’ command as root.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # Defaults specification
    # User privilege specification
    root    ALL=(ALL) ALL
    # Uncomment to allow people in group wheel to run all commands
    # %wheel ALL=(ALL)       ALL
    # Same thing without a password
    # %wheel        ALL=(ALL)       NOPASSWD: ALL
    # Samples
    # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users  localhost=/sbin/shutdown -h now

Notice that the /etc/sudoers file has examples and comments. To allow members of the group ‘wheel’ to run commands through sudo as root, uncomment the line:

 …
    # Uncomment to allow people in group wheel to run all commands
    %wheel ALL=(ALL)       ALL
    …

Now run the privileged commands again as normaluser:

    $ sudo /sbin/service sendmail restart
    Password:
    Shutting down sendmail:                                    [  OK  ]
    Shutting down sm-client:                                   [  OK  ]
    Starting sendmail:                                         [  OK  ]
    Starting sm-client:                                        [  OK  ]

The /var/log/secure file will also record the successfull use of sudo:

    # tail /var/log/secure
    …
    Aug  2 15:05:49 somehost sudo:  normaluser : TTY=pts/2 ;
    PWD=/home/normaluser ; USER=root ;
    COMMAND=/sbin/service sendmail restart

Configuring SUDO permission to a normal user for a Specific Set of Commands

Create a common group called “privusers” . Then add the group “privusers” as the secondary group for the username you want to act as sudo user

  # groupadd privusers
   # useradd -G privusers user1
Please check/confirm that user name and groups are assigned properly. For example
 # cat /etc/passwd | grep user1
    user1:x:501:501::/home/user1:/bin/bash
    # cat /etc/group | grep user1
    privusers:x:500:user1
    user1:x:501:

Now, execute the command visudo on command line.

# visudo

Created an alias PRIVUSERS , then added the sudo user name. This will give you the flexibility to add more names in future .

    User_Alias PRIVUSERS = user1

Created another alias PRIVSERVICES , so that the same alias can refer more than one commands based on requirement.

    Cmnd_Alias PRIVSERVICES = /sbin/fdisk

Assign the alias to sudo groups by

    %privusers ALL = PRIVSERVICES

Save , exit from visudo. Login as sudo user, then check the commands

$ sudo /sbin/fdisk -l
    Password:    <=== Password of user1

    Disk /dev/hda: 5242 MB, 5242880000 bytes
    255 heads, 63 sectors/track, 637 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/hda1   *           1          13      104391   83  Linux
    /dev/hda2              14         637     5012280   8e  Linux LVM
Note: user “user1” can’t run any command which is not mentioned in command alias .

$ sudo /bin/su
    Sorry, user user1 is not allowed to execute ‘/bin/su’ as root on <hostname>

 

Configuring Sudo access to a user  to “su” ( to root) without a password prompt

To use sudo with su to login as another user without requiring a password, add the following to /etc/sudoers:

(root@localhost~)# visudo
    user1  ALL=NOPASSWD: /bin/su – user2

Now try to login using below command, which should not prompt for password:

(user1@localhost~)$ sudo su – user2